
Complete Guide to GDPR: General Data Protection Regulation

Sep 24, 2021 | Regulations


Written by Rick Buck, Chief Privacy Officer, WireWheel

Introduction

The General Data Protection Regulation (GDPR) was adopted on April 14, 2016 and went into effect on May 25, 2018. The GDPR governs data protection and privacy in the European Union and in the European Economic Area (EEA).

The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The GDPR was the first comprehensive data privacy law and has inspired other legislation around the world, from the California Consumer Privacy Act (CCPA) to Brazil’s Lei Geral de Proteção de Dados (LGPD).

Official text

Click here to access the full official text of the GDPR.

Effective Date

The GDPR went into effect on May 25, 2018.

Applicability

The GDPR applies to both Data Controllers and Data Processors:

  • Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU,
  • Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Covered Personal Information

Under this EU data protection law, personal data is any information relating to an identified or identifiable data subject.

The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.

Sensitive Data

The following personal data is considered ‘sensitive’ under the GDPR and is subject to specific processing conditions: 

  • Racial or ethnic origin,
  • Political opinions,
  • Religious or philosophical beliefs,
  • Trade-union membership,
  • Genetic data,
  • Biometric data processed solely to identify a human being,
  • Health-related data,
  • Sex life or sexual orientation.

Anonymous, De-identified, Pseudonymous, or Aggregated Data

Under the GDPR, Pseudonymous data is considered personal data. 

Anonymous data is not considered personal data. 

While the GDPR does not mention de-identified data, the CCPA definition of de-identified data is similar to the GDPR’s concept of anonymous data.

Children

The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.

Children must receive an age-appropriate privacy notice. 

Children’s personal data is subject to heightened security requirements.

Privacy Notice

Under this privacy regulation, data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or a third party.

Consumer Rights

The GDPR introduced the following consumer rights:

  • Right to information,
  • Right to access,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to data portability,
  • Right to objection,
  • Right to avoid automated decision-making.

Contracting

The GDPR requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller. The contract should include:

  • Type of data,
  • Duration of processing,
  • The rights and obligations of both parties, with specific obligations for the processor.

Data Protection Assessments

Article 35 of the GDPR requires data protection assessments when processing personal data for certain functions such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers.

Transfer Impact Assessments are required for all transfers of sensitive data outside of the EEA.

Enforcement

The GDPR is enforced by the European Data Protection Board (EDPB), as well as through binding decisions made by the Data Protection Authorities (DPAs) of the member states.

Private Right of Action

The GDPR does have a provision for private rights of action.

Penalties and Damages

Under the GDPR, administrative fines can reach up to EUR 20 million or 4% of annual global revenue, whichever is higher.

Cure Period

The GDPR does not provide a cure period.

Exemptions

The only way to be exempt from the GDPR is if you: 

  • Actively discourage the processing of data from EU data subjects (i.e., block your site in the EU),
  • Process personal data of EU citizens outside the EU as long as you don’t directly target EU data subjects or monitor their behavior.

Data Breach

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.     

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact points where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
